nextcloud/.github/workflows/update-cacert-bundle.yml

# SPDX-FileCopyrightText: 2022 Nextcloud GmbH and Nextcloud contributors
# SPDX-License-Identifier: MIT
name: Update CA certificate bundle

on:
  workflow_dispatch:
  schedule:
    - cron: "5 2 * * *"

permissions:
  contents: read

jobs:
  update-ca-certificate-bundle:
    runs-on: ubuntu-latest

    strategy:
      fail-fast: false
      matrix:
        branches: ['master', 'stable31', 'stable30', 'stable29',  'stable28',  'stable27', 'stable26', 'stable25', 'stable24', 'stable23', 'stable22']

    name: update-ca-certificate-bundle-${{ matrix.branches }}

    steps:
      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          persist-credentials: false
          ref: ${{ matrix.branches }}
          submodules: true

      - name: Download CA certificate bundle from curl
        run: curl --etag-compare build/ca-bundle-etag.txt --etag-save build/ca-bundle-etag.txt --output resources/config/ca-bundle.crt https://curl.se/ca/cacert.pem

      - name: Create Pull Request
        uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e
        with:
          token: ${{ secrets.COMMAND_BOT_PAT }}
          commit-message: 'fix(security): Update CA certificate bundle'
          committer: GitHub <noreply@github.com>
          author: nextcloud-command <nextcloud-command@users.noreply.github.com>
          signoff: true
          branch: 'automated/noid/${{ matrix.branches }}-update-ca-cert-bundle'
          title: '[${{ matrix.branches }}] fix(security): Update CA certificate bundle'
          body: |
            Auto-generated update of CA certificate bundle from [https://curl.se/docs/caextract.html](https://curl.se/docs/caextract.html)            
          labels: |
            dependencies
            3. to review            
          reviewers: ChristophWurst, miaulalala, nickvergessen